Cyber crime: The heavy toll on healthcare finances

By Jo Makosinski | Published: 14-Sep-2023

According to a recent IBM report, the average cost of a breach in healthcare reached nearly $11m in 2023 – a 53% increase since 2020. In this article, Ziv Mador, vice president of security research at Trustwave SpiderLabs, looks at the financial impact of data breaches and the steps healthcare security leaders can take to mitigate the threat.

The intersection between cyber security and healthcare is emerging as a pivotal focal point for leaders in both domains.

The value of medical information and patient records has skyrocketed on the dark web, making the healthcare sector an attractive target for cyber criminals.

And it would be safe to say that the criticality of data security in the healthcare industry has never been more apparent.

One recent example is the cyber attack that affected two South England ambulance services.

The attack cut paramedics’ access to patient information, which led to ambulances showing up without the usual level of patient information and history such as allergies, significant health incidents, and medicines. 

This article serves to inform and spread awareness regarding the financial and health implications such cyber threats pose to the healthcare sector.

Additionally, it will provide information about observed cyber criminal behaviour, threat tactics that ransomware groups tend to deploy as part of their attacks, and will give recommendations for trusts on maintaining proper cyber hygiene to mitigate such threats. 

The insights shared have been gathered using exclusive data and research conducted by Trustwave SpiderLabs in its threat report: Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape.

The impacts – fatal and financial

Due to the sensitive nature of healthcare data, as well as the regulatory and financial requirements that healthcare organisations must comply with, the financial impact of a breach in the healthcare industry far surpasses that in other industries, according to data from the Ponemon Institute, which puts the figure at approximately £8.6m per incident, a substantial 53% increase in the cost of a breach since 2020.

And, in 2017, the impact of the WannaCry cyber attack on NHS hospitals alone was estimated at up to £6m.

From the cost of forensic investigations to reputational damage and control, the financial ramifications are immense.

Additionally, the loss of patient trust impacts business and, ultimately, can hinder the trust in healthcare organisations.

More importantly, those in need of healthcare will be less likely to seek out professional help, thereby affecting patients’ health and lives.

Not to mention that ransomware attacks that have caused disruptions in hospitals have been shown to be one of the causes of patient fatalities, so the situation is far graver than financial ramifications alone.

The shift in cyber criminal behaviour

Ransomware became a substantial threat in the mid-2000s with the emergence of malware groups such as Vundo and WinLock.

These attacks were relatively unsophisticated as they relied on simple encryption to lock victims out of their files.

But, with time and evolving technology, ransomware attacks have not only become more sophisticated, but all the more devastating to victims.

In 2013, the emergence of Cryptolocker marked a significant shift in the ransomware landscape: by introducing public key cryptography to encrypt files, it enabled threat actors to cut off victims’ access to their files and their ability to recover data.

This introduced the trend of demanding large sums of money in exchange for granting access to victims’ files. 

Since then, ransomware has continued to evolve, with the emergence of new families of ransomware such as Locky, WannaCry, and Petya/NotPetya.

These newer variants often have advanced features such as worm-like capabilities that allow them to spread rapidly across networks and the use of advanced evasion techniques to avoid detection by security solutions.

Ransomware attacks on the healthcare industry have also evolved significantly over the years.

Having begun by spreading ransomware indiscriminately through spam emails and exploit kits, attackers have moved on to more sophisticated methods.

Ransomware attacks in healthcare have become increasingly more targeted, with attackers conducting reconnaissance to identify and extort the most-vulnerable targets.

With sensitive and critical information at stake, healthcare organisations are naturally more-compelling targets for ransomware groups as they are more likely to pay the ransoms in question, due to prioritising patient care. 

The largest ransomware attack on a hospital in 2022 was the US-based CommonSpirit ransomware attack that compromised the data of 623,000 patients.

And, in June 2023, the Clop ransomware group stole the personal and health information of 490,000 individuals in a ransomware attack on IntelliHARTx, a healthcare payments technology.

Illustrating the financial toll that ransomware can take, US-based Scripps Health not only paid £2.8m to the victims of its 2021 data breach, but due to a month-long outage, cited a loss of close to £89m in revenue.

There has also been a rise in information stealers, or ‘Infostealers’ as they are now more commonly referred to, which, as the name suggests, are specialised malware designed with the primary function of stealing information.

While various types of malware, such as Remote Access Trojans (RATs) and certain ransomware families, may possess this capability, Infostealers specifically focus on this function, often targeting specific types of data for theft.

Most healthcare organisations also tend to hold onto outdated or inadequate cyber security measures, due to inconsistent upgrading of technologies across different hospitals in different places.

Attackers are likely to take advantage of this and deploy double-extortion tactics wherein they not only encrypt victims’ data, but also threaten to publicly release it if ransom is not paid.

The double-extortion tactic is the most-recently-observed development in threat tactics, first emerging in 2019. 

Cyber threats borne out of AI 

As time evolves, so too does technology, and the threat landscape along with it.

For example, while AI isn’t by any means ‘new,’ the advances made in generative AI and large language models (LLMs) are setting new benchmarks for what is possible for healthcare organisations.

This evolution in AI technology does, however, provide adversaries and defenders with greater means and tools for attack and defence.

In the realm of healthcare, the risks are amplified even more due to the delicate character of the data that could potentially be disclosed through these tools.

There is significant concern in the healthcare industry about the potential for unintentional breaches of patient data by internal teams who use LLMs to enhance efficiency and scalability.

While the potential benefits of these tools could be substantial, there are still multiple security risks that need to be considered and addressed. Therefore, a risk-to-benefit approach is the recommended way forward. 

Moreover, due to their reliance on third-party vendors, healthcare organisations face an increased risk of exposure.

These third-party vendors are more likely to incorporate Generative AI or LLMs into their products, which raises some concerns about the potential loss of control over patient data used for training these models. 

Finally, LLMs’ capability to create highly-personalised and targeted messages increases the sophistication and risk of phishing and social engineering attacks, which requires extra vigilance on the part of every user, especially those in the healthcare sector.

In fact, we have already started to see specifically-designed AI tools for nefarious purposes such as ‘FraudGPT’, ‘WormGPT’ and ‘EvilGPT.’ 

Trustwave continues to monitor this emerging trend, while keeping an eye on opportunities for risk reduction on the client side.

Mitigation strategies

Given the circumstance where patients’ lives might be at risk, the healthcare sector must minimise its risk and prioritise information protection by any means necessary.

Some of these measures include:

  • Conducting regular penetration tests to pro-actively identify vulnerabilities and weaknesses in systems, networks, and applications
  • Conducting both recurring and quick patching, which involves applying updates to software systems, and promptly addressing newly-discovered vulnerabilities, which will help close security gaps and minimise exposure to potential cyber attacks
  • Decreasing the time to remediation to have a significant impact on exposure and reduce the window of exploitation
  • Running continuous threat hunting through environments for undetected compromises
  • Formalising and regularly testing Incident Response Policies for the scenarios that will most likely impact an organisation
  • Remembering that the best defence is a good offence, which means conducting regular training and tests for employees, ensuring that policies and patches are up to date, and deploying layered email security to help detect and cleanse malicious emails
  • Using host-based anti-malware tools that can assist in identifying and quarantining specific malware, but it should be noted that these have limitations and are often circumvented by custom malware packages
  • Regularly backing up data to help ensure the ability to recover from a ransomware attack or other types of data loss. Back-ups should be stored offsite, and verification should be conducted so that they can be restored
  • Maintaining an inventory management system for all medical devices and associated software, including vendor-developed software components, operating systems, version, and model numbers
  • Implementing a routine vulnerability scan before installing any new medical device or technology onto the operating IT network
  • When it comes to AI threats, organisations should be evaluating security solutions with Generative AI and LLMs in mind. This includes choosing security tools or partners that can detect AI-generated threats like advanced phishing
  • While Generative AI tools still have inherent risks, healthcare organisations, like all entities, will need to determine how to govern the tools versus instituting broad-based bans

Conclusion

The healthcare sector is not alone in facing these attacks. However, the industry faces unique risks and implications.

Data shows that cyber attacks are picking up pace and the financial impact of them is only growing.

Thankfully, technology, alongside intelligent tactics that utilise both cutting-edge innovation and behavioural analysis, is helping to identify the risks and the bad actors with greater efficiency.

Businesses and healthcare providers must accept the fact that they will never be 100% secure and that new threats will always be on the horizon, but by partnering with a pro-active cyber security partner, they can rest assured that these new threats are being tracked and that they are not alone in the fight against these cyber criminals.
